Sometimes, you need to patch your project files until a bugfix is shipped to the upstream repository. cweagans/composer-patches is a Composer package that automates applying patches during the Composer install procedure.
Last weekend at the Mage Titans Conference in Manchester, the sansec folks announced their new Composer Integrity Plugin project.
Composer 2.4 introduced a new command to check the dependencies in your projects for known vulnerabilities.
Sometimes folders like node_modules consume too much space and then a small cleanup may be needed.
A few weeks ago, whilst applying the latest security patches for Magento, I ran into a problem in our build pipeline. The patches could be applied locally without any issues, but in our build pipeline applying the patches failed.
A few days ago Jordi announced the first dev build of Composer 2.0. I immediately went and downloaded it. Since version 2.x should be a lot faster, I thought it is a good idea to test it against a current Magento 2 project I am working on. I was a bit disappointed first because Composer failed with quite a few errors like that:
Sometimes you run into this situation when a git pull will respond with Merge conflict in config.php. How to solve this issue in a proper way? Let's have a look how other people solve similar issues, namely my friend Mr. Rafael Dohms. Quite a while ago he blogged about a similar problem on how to solve conflicts in Composer's lock file. This is what I learned from his blog post:
This blog post has been sitting on my desk for quite a while but due to a lot of work in the last weeks I was not able to finish it earlier. Luckily, I found some time during my travels to finish the blog post and share my findings on the "require-dev gone wrong!" problem. While some people thought the former blog post was mostly click bait or proposed a "fix" which does not actually solve the general problem, I actually got a lot of good feedback on twitter. Even an issue for Composer was created to discuss the problem even though it was closed by now.
For a long time, I have been advocating to make use of require-dev to install development tools locally. We use this on a daily basis to install tools like Phing, PHPUnit or phpDocumentor locally for each of our (customer) projects. Given that our focus is on custom projects, this absolutely makes sense. I do not want our projects to use an old version of a given tool or update all our projects constantly to use the latest version of all the tools involved. In addition to that, a simple composer.phar install in the project root should be sufficient to install all dependencies required to build and run the project.